CVE-2025-13836
Initial Publication
12/19/2025
Last Update
01/05/2026
Third Party Dependency
python3.12
NIST CVE Summary
When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.
CVE Severity
Our Official Summary
CVE-2025-13836 is a denial-of-service (DoS) vulnerability in the Python standard library’s HTTP response handling, specifically in the http.client module. A malicious HTTP server could exploit this flaw by sending a crafted or oversized Content-Length header, causing a Python client to allocate excessive memory when reading a response without an explicit read limit.
This issue is reported in the forklift operator and is only applicable when the VM orchestrator is enabled and in use. Exploitation would require an attacker to gain access to the container and execute code within it. However, the container includes safeguards that are designed to prevent arbitrary code execution.
At this time, no upstream fix is available for this vulnerability. Once an official fix is released, it will be evaluated and adopted accordingly.
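The client-side pattern the summaries above imply, as an added example written for this page (it is not code from CPython, the forklift operator, or Palette): instead of calling `read()` with no amount and letting the server's `Content-Length` decide how much memory the client allocates, reject an advertised length above a caller-chosen limit before reading, then read in fixed-size chunks and stop once the running total passes that limit, so a missing or misleading `Content-Length` is bounded as well. The `read_bounded` and `fetch` helpers, the `ResponseTooLarge` exception, and the local `http.server` test server that answers `GET /bytes/<n>` with `n` bytes are all assumptions constructed here; only the standard library is used.

```python
"""Bounded reading of an http.client response (added example, not from the advisory)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class ResponseTooLarge(Exception):
    """The response body would exceed the caller's memory limit."""


def read_bounded(resp, max_bytes, chunk_size=64 * 1024):
    """Return at most max_bytes of body from an HTTPResponse, else raise.

    Two layers: reject an advertised Content-Length above the limit before
    allocating anything, then read in fixed-size chunks and stop as soon as
    the running total passes the limit. The second layer also covers
    responses with no Content-Length (for example chunked transfer encoding)
    and a Content-Length that understates the body.
    """
    declared = resp.getheader("Content-Length")
    if declared is not None:
        if not declared.strip().isdigit():
            raise ResponseTooLarge(f"unparseable Content-Length: {declared!r}")
        if int(declared) > max_bytes:
            raise ResponseTooLarge(f"Content-Length {declared} exceeds limit {max_bytes}")
    body = bytearray()
    while True:
        # Never ask for more than one byte past the limit, so the buffer the
        # client holds is bounded by the caller, not by the server's header.
        want = min(chunk_size, max_bytes - len(body) + 1)
        chunk = resp.read(want)
        if not chunk:
            break
        body.extend(chunk)
        if len(body) > max_bytes:
            raise ResponseTooLarge(f"body exceeds limit {max_bytes}")
    return bytes(body)


def fetch(host, port, path, max_bytes):
    """GET path from host:port and return the body, bounded by max_bytes."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return read_bounded(resp, max_bytes)
    finally:
        conn.close()  # closing early is what stops an oversized body from arriving


class _SizedBodyHandler(BaseHTTPRequestHandler):
    """Constructed local test server: GET /bytes/<n> answers with n bytes of 'A'."""

    def do_GET(self):
        n = int(self.path.rsplit("/", 1)[-1])
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(n))
        self.end_headers()
        try:
            self.wfile.write(b"A" * n)
        except (BrokenPipeError, ConnectionResetError):
            pass  # the client hung up early, the expected outcome when it rejects the size

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Start the test server on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _SizedBodyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_server()
    try:
        print(len(fetch("127.0.0.1", port, "/bytes/4096", max_bytes=65536)), "bytes read")
        try:
            fetch("127.0.0.1", port, "/bytes/1048576", max_bytes=65536)
        except ResponseTooLarge as exc:
            print("rejected:", exc)
    finally:
        server.shutdown()
```

The limit belongs to the caller because only the caller knows how much of a given response is reasonable to hold in memory; a 64 KiB cap for a small API reply and a streaming-to-disk path for downloads are both expressions of the same rule, which is that the server's header never sets the client's allocation size.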
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.8.13 | ⚠️ Impacted | ✅ No Impact | ✅ No Impact | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 01/05/2026 | Status changed from Open to Ongoing |
| 01/05/2026 | Official summary added |
| 12/31/2025 | Advisory assigned with CRITICAL severity |